CVE-2025-1361 is a vulnerability classified under CWE-285 (Improper Authorization) found in the IP2Location Country Blocker plugin for WordPress. The flaw exists because the plugin's admin_init() function lacks proper capability checks, which are essential to verify whether a user has the necessary permissions to access administrative features. Due to this omission, unauthenticated attackers can remotely access the plugin's settings page and view sensitive configuration data without any authentication or user interaction. The vulnerability affects all versions up to and including 2.38.8. The exposure is limited to information disclosure; attackers cannot modify settings or disrupt service availability. The CVSS 3.1 base score is 7.5, reflecting the ease of exploitation (network vector, no privileges required, no user interaction) and the high impact on confidentiality. Although no public exploits have been reported yet, the simplicity of exploitation and the sensitive nature of the exposed data make this a significant risk. The plugin is commonly used to restrict access to WordPress sites based on visitor IP geolocation, so exposure of its settings could reveal security policies and geographic restrictions, potentially aiding attackers in bypassing controls or planning targeted attacks.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive configuration data from the IP2Location Country Blocker plugin. This information could include IP block lists, country restrictions, and other security policies that help protect WordPress sites from unwanted traffic. Attackers gaining this insight can tailor their attacks to bypass geographic restrictions or identify weaknesses in the site's security posture. While the vulnerability does not allow direct modification of settings or denial of service, the confidentiality breach can facilitate further exploitation or reconnaissance activities. Organizations relying on this plugin for geolocation-based access control may find their defenses weakened, increasing the risk of targeted attacks, fraud, or unauthorized access. The vulnerability affects any WordPress site using the plugin, which could range from small businesses to large enterprises, potentially impacting a broad spectrum of industries worldwide.

1. Immediate upgrade: Update the IP2Location Country Blocker plugin to the latest version once a patch is released that addresses this authorization flaw. 2. Temporary access restrictions: Until a patch is available, restrict access to the WordPress admin area using IP whitelisting or VPN access to limit exposure to trusted users only. 3. Web application firewall (WAF): Deploy or update WAF rules to detect and block unauthorized attempts to access the plugin’s admin_init() endpoint or related administrative URLs. 4. Monitor logs: Enable detailed logging and monitor for unusual access patterns or repeated attempts to access plugin settings without authentication. 5. Principle of least privilege: Review and tighten WordPress user roles and permissions to minimize the risk of privilege escalation or unauthorized access. 6. Plugin alternatives: Consider using alternative geolocation or country blocking plugins with a strong security track record if immediate patching is not feasible. 7. Security awareness: Educate site administrators about the risks of using outdated plugins and the importance of timely updates.